President Trump reportedly has approved the Oracle deal for TikTok’s US operations

President Donald Trump said he has given his stamp of approval “in concept” on the Oracle bid for the U.S. operations of the wildly popular social media app, TikTok, according to a report from Bloomberg.

According to the Bloomberg report, Trump said, “I have given the deal my blessing,” as he left the White House for a campaign rally in North Carolina on Saturday.

“I approved the deal in concept,” Trump reportedly said.

The spinout of TikTok’s U.S. operations from its parent company Bytedance was something that the Trump administration had demanded on the grounds that the company’s data handling policies and popularity in the U.S. posed a national security threat.

The President’s push to sever the application’s ties to China also followed TikTok users’ alleged prank that turned what was supposed to be a triumphal rally for the President in Oklahoma City into a Presidential campaign embarrassment that cost the job of Trump’s campaign manager, Brad Parscale.

That said, the U.S. has been looking to curtail the operations of several Chinese technology companies on the grounds that they pose security threats to the U.S. Indeed, the Presidential order that demanded TikTok’s spinout also called for the discontinuation of the U.S. operations of the messaging service WeChat, which is owned by Tencent — one of China’s largest technology companies. And the U.S. government has also put a target on the telecommunications and networking technology developer, Huawei.

With the TikTok deal set to be approved, a new company called TikTok Global will be created as part of the deal, according to statements from Treasury Secretary, Steven Mnuchin, earlier this week.

Bloomberg reported that Trump said the new company would be headquartered in Texas, would hire as many as 25,000 people and would contribute $5 billion toward U.S. education.

The bulk of TikTok’s U.S. operations are now in Los Angeles.

As the Trump Administration continues its push to disrupt the operations of Chinese tech companies in the U.S., strange bedfellows are uniting to voice opposition to the deal.

On Friday, the American Civil Liberties Union and the head of Facebook’s Instagram subsidiary both came out with statements opposing the proposed transaction.

“This order violates the First Amendment rights of people in the United States by restricting their ability to communicate and conduct important transactions on the two social media platforms,” said Hina Shamsi, director of the American Civil Liberties Union’s National Security Project, in a statement on Friday.

And the dragnet against Chinese influence through ownership of U.S. technology companies has reportedly widened to include many of the top U.S. gaming companies, which have been backed (or are wholly owned) by Tencent.

All of this could be exceptionally bad for U.S. technology businesses, as Instagram’s chief, Adam Mosseri, pointed out in a series of Friday tweets.

“A US ban of TikTok would be meaningful step in the direction of a more fragmented nationalized internet, which would be bad for US tech companies which have benefited greatly from the ability to operate across borders,” Mosseri wrote.

JupiterOne raises $19M Series A to automate cyber asset management

Asset management might not be the most exciting talking topic, but it’s often an overlooked area of cyber-defenses. Knowing exactly what assets your company has makes it easier to know where the security weak spots are.

That’s the problem JupiterOne is trying to fix.

“We built JupiterOne because we saw a gap in how organizations manage the security and compliance of their cyber assets day to day,” said Erkang Zheng, the company’s founder and chief executive.

The Morrisville, N.C.-based startup, which spun out from healthcare cloud firm LifeOmic in 2018, helps companies see all of their digital and cloud assets by integrating with dozens of services and tools, including Amazon Web Services, Cloudflare, and GitLab, and centralizing the results into a single monitoring tool.

JupiterOne says it makes it easier for companies to spot security issues and maintain compliance, with an aim of helping companies prevent security lapses and data breaches by catching issues early on.

The company already has Reddit, Databricks and Auth0 as customers, and just secured $19 million in its Series A, led by Bain Capital Ventures and with participation from Rain Capital and its parent company LifeOmic.

As part of the deal, Bain partner Enrique Salem will join JupiterOne’s board. “We see a large multibillion dollar market opportunity for this technology across mid-market and enterprise customers,” he said. Asset management is slated to be an $8.5 billion market by 2024.

Zheng told TechCrunch the company plans to use the funds to accelerate its engineering efforts and its go-to-market strategy, with new product features to come.

Use ‘productive paranoia’ to build cybersecurity culture at your startup

As any startup grows, getting new products out the door and securing that next round of funding are always top priorities.

But security, all too often, falls by the wayside. After all, why would you invest money in something that you hope never happens when you could be funneling cash back into the business?

Fostering a corporate culture that embraces cybersecurity best practices keeps customer data safe and your company’s reputation intact. But security isn’t something you can easily tack on later. It must be ingrained in your company’s culture, and it’s so much easier to start in the early days of your company than scrambling in the aftermath of a data breach.

But how do you get there?

At TechCrunch Early Stage, we asked Casey Ellis, founder, chairman and chief technology officer at Bugcrowd, to share his ideas for how startups can improve their security posture.

Bugcrowd helps companies dip into a huge pool of cybersecurity talent — including hackers and security researchers — to find vulnerabilities. By helping companies identify flaws, they can shore up their defenses before malicious hackers break in. Few know better than Ellis — who’s run Bugcrowd for close to a decade — which policies, procedures and protections companies have put in place to get there.


Jeff Lawson on API startups, picking a market and getting dissed by VCs

Last week TechCrunch sat down virtually with Jeff Lawson, the CEO and co-founder of Twilio as part of our long-running Extra Crunch Live series. As I expected, the chat was a good use of time.

Why? Lawson was early on the idea that software companies could deliver their features not through a web app, but through an API. Back when Twilio was getting started, the world was still uncertain on the future of cloud. But Twilio was already skating past that puck toward a more distant target.

And his company has been largely proven right in its view of the future. While cloud software is now the de facto position for startups and legacy providers alike, API-powered startups are having one hell of a year according to founders and investors.

The growing wave of API-delivered software is not looking set to slow down, with Lawson telling TechCrunch during our chat that “the world is getting broken down into APIs,” as “every part of the stack of business that a developer might need to build is eventually turning into APIs that developers can use.”

So, expect more startups to ask you to snag an API key instead of signing up for a 12-month commitment. That said, don’t get too excited, yet, as Lawson was also clear during our chat that “not everything that can be broken down into an API will end up being a huge business.”

As Salesforce helped set the stage for SaaS startups in years past, Twilio’s $40 billion market cap today could prove a similar North Star for API startups.

A big thanks to the Extra Crunch crew for showing up and helping us ask some fun questions. I’ve snagged some favorite quotes below and embedded the YouTube clip of the whole chat. Let’s go!

Apple launches COVID-19 ‘Exposure Notification Express’ with iOS 13.7 — Android to follow later this month

Apple and Google are continuing to make good on their planned roll-out of exposure notification technology for helping with COVID-19 contact-tracing efforts. The two partners are introducing new tools that make it much easier for public health authorities to implement digital exposure notification, without the need for developing and maintaining their own individual apps. Apple makes this possible via the iOS 13.7 system update, out today, while Google is implementing it with an automatically generated application on Android 6.0, upcoming later this month, a workaround required because of the very different method through which it manages system services and OS updates.

This change in the way the technology works means that users won’t have to actually download and install a dedicated app created by the public health authority (PHA) in their jurisdiction to participate. Instead, you’ll receive a notification that provides information supplied by your local health authority about the exposure notification system and what it does, from which you can choose to opt-in. On iOS, that’ll mean installing a provisioning profile, while on Android, it’ll result in an auto-generated app for your local PHA, which is installed via the Google Play store. Apple and Google clarified that Exposure Notification Express co-exists with, rather than replacing, existing dedicated PHA apps.

PHAs using Exposure Notifications Express can provide Apple and Google with contact information, guidance about care and precautions and recommendations on next steps. PHAs provide their name, logo, criteria for triggering an exposure notification and info to be offered to an individual in case of exposure using a system that’s easy for non-technical people to use.

Local health authorities will still have to elect to participate and customize the text and messaging delivered to users in their regions when they receive this notification and onboarding info, but they’ll no longer have to develop and distribute their own applications in order to set up a digital exposure notification system based on the combined Apple/Google tech to supplement their contact-tracing efforts. The health authority will also be responsible for determining how they calculate exposure risk, which is what they were able to do with dedicated apps, too. That’s huge, as Apple and Google note that 20 countries globally have already introduced apps based on their API, and 25 U.S. states are “exploring” use of the system, with six states having launched apps so far, making this a system-level feature with a lower technical barrier to entry on the developer/health agency side that should help expedite roll-out.

To start, Apple and Google say they expect DC, Maryland, Nevada and Virginia will be the first to implement Exposure Notification Express sometime soon, with others likely to follow. The companies also said they’re working with the U.S. Association of Public Health Laboratories on a national key server that will effectively allow users to have exposure tracking work across state lines when they’re traveling out of their home health agency district.

There has been a lot of misinformation circulating about contact tracing requiring a threshold of 60% or higher adoption to be effective; that’s based on a misinterpretation of an Oxford study published earlier this year. The researchers behind the study subsequently clarified that in fact, any level of contact tracing, as aided by apps that support digital contact tracing, has a positive effect on reducing the spread of COVID-19, as well as resulting deaths.

The system includes the same privacy protections that Apple and Google have provided throughout, which means your location information is not collected or connected to any exposure notifications. Instead, the tech uses a randomly generated key to track when and where a device has come into Bluetooth range with other devices also using the software. It maintains a log of these random identifiers, and checks against reported confirmed diagnoses (also fully anonymized) to see if there has been any exposure risk — as determined by the definition of exposure in terms of duration and distance as established by each region’s governing public health authority.

Decrypted: Tesla’s ransomware near miss, Palantir’s S-1 risk factors

Another busy week in cybersecurity.

In case you missed it: A widely used messaging app used by over a million protesters has several major security flaws; a little-known loophole has let the DMV sell driver’s licenses and Social Security records to private investigators; and the U.S. government is suing to reclaim over $2.5 million in cryptocurrency stolen by North Korean hackers from two major exchanges.

But this week we are focusing on how a Tesla employee foiled a ransomware attack, and, ahead of Palantir’s debut on the stock market, how much of a risk factor is the company’s public image?


THE BIG PICTURE

Russian charged with attempted Tesla ransomware attack

$1 million. That’s how much a Tesla employee would have netted if they accepted a bribe from a Russian operative to install malware on Tesla’s Gigafactory network in Nevada. Instead, the employee told the FBI and the Russian was arrested.

The Justice Department charged the 27-year-old Russian, Egor Igorevich, weeks later as he tried to flee the United States. According to the indictment, his plan was to ask the employee to deliberately deploy ransomware on the Gigafactory’s network, grinding the network to a halt for a ransom of several million dollars. The would-be insider threat is likely the first of its kind, one ransomware expert told Wired, as financially driven hackers continue to up their game.

Tesla founder Elon Musk tweeted earlier this week confirming that Tesla was the target of the failed attack.

The attack, if carried out, could have been devastating. The indictment said that the malware was designed to extract data from the network before locking its files. This data-stealing ransomware is an increasing trend. These hacker groups not only encrypt a victim’s files but also exfiltrate the data to their servers. The hackers typically threaten to publish the victim’s files if the ransom isn’t paid.

Apple mistakenly approved a widely-used malware to run on Macs

Apple has some of the strictest rules to prevent malicious software from landing in its app store, even if on occasion a bad app slips through the net. But last year Apple took its toughest approach yet by requiring developers to submit their apps for security checks in order to run on millions of Macs unhindered.

The process, which Apple calls “notarization,” scans an app for security issues and malicious content. If approved, the Mac’s in-built security screening software, Gatekeeper, allows the app to run. Apps that don’t pass the security sniff test are denied, and are blocked from running.

But security researchers say they have found the first Mac malware inadvertently notarized by Apple.

Peter Dantini, working with Patrick Wardle, a well-known Mac security researcher, found a malware campaign disguised as an Adobe Flash installer. These campaigns are common and have been around for years — even if Flash is rarely used these days — and most run unnotarized code, which Macs block immediately when opened.

But Dantini and Wardle found that one malicious Flash installer had code notarized by Apple and would run on Macs.

The malicious installer was notarized by Apple, and could be run on the latest versions of macOS. (Image: Patrick Wardle/supplied)

Wardle confirmed that Apple had approved code used by the popular Shlayer malware, which security firm Kaspersky said is the “most common threat” that Macs faced in 2019. Shlayer is a kind of adware that intercepts encrypted web traffic — even from HTTPS-enabled sites — and replaces websites and search results with its own ads, making fraudulent ad money for the operators.

“As far as I know, this is a first,” Wardle wrote in a blog post, shared with TechCrunch.

Wardle said that means Apple did not detect the malicious code when it was submitted and approved it to run on Macs — even on the unreleased beta version of macOS Big Sur, expected out later this year.

Apple revoked the notarized payloads after Wardle reached out, preventing the malware from running on Macs in the future.

In a statement, a spokesperson for Apple told TechCrunch: “Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allow us to respond quickly when it’s discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”

But Wardle said that the attackers were back soon after with a new, notarized payload, able to circumvent the Mac’s security all over again.

Discord says user abuse reports have doubled since last year

Discord has published its latest transparency report for the first six months of this year.

The big takeaway is that the number of overall reports has almost doubled, largely because of the massive spike in user growth during the pandemic to over 100 million monthly active users. The messaging and chat platform, popular with gamers and streamers, is now said to be worth around $3.5 billion.

According to the report, Discord said it received 235,000 reports between January and June 2020, compared to 128,000 reports during the last reporting period between June and December 2019.

Discord said it took action in 65% of cases related to spam — resulting in the removal of four million accounts — and just 13% in cases of harassment. Discord said it’s often clearer when someone is spamming, but the subjective nature of harassment makes it the “least actionable” category of reports.

The percent of user reports actioned between January and June 2020. Image Credits: Discord

That said, Discord said it warns more users about harassment than any other reporting category. Discord issues warnings to educate users about some potentially harmful behavior, rather than outright banning users. For the most part, the warnings appear to work. Discord said it bans just 3% of users who were first given a warning about harassment.

Discord also said it banned 162,621 accounts for posting exploitative content, like posting nonconsensual photos of others. That was the largest category of bans apart from spam. Most of this content was removed proactively by Discord, the company said.

Civil rights groups criticized the company’s earlier reports for not disclosing more about proactive removals.

Discord said it also removed over 5,000 servers each for posting exploitative content, hacks and cheats. The company said it removed 700 servers as part of a network sharing nonconsensual images. “Nonconsensual pornography has no place on our platform, and we’ll continue to take swift action against these communities and their members,” the company said.

Unlike other tech companies, Discord does not reveal the number of law enforcement requests it receives.

Course Hero, a profitable edtech unicorn, raises rare cash

Like any successful founder, Andrew Grauer had bright, long-term ambitions for Course Hero from the moment he launched it in 2006.

He started the business to create a place where students could ask questions and get answers similar to Chegg, which launched 15 months before Course Hero. But as he slowly built it, he was tempted by a larger question: “What would a university look like if it was built by the internet?”

And so, the Redwood City-based startup itched at that nebulous goal throughout the years. Course Hero tested and failed products: free curated e-courses, in-person tutoring and teacher advice and ratings.

Clarity only came when Grauer realized that the core goal Course Hero launched with — giving students a place to ask and answer questions — wasn’t simply one product that should be fit into a broader suite of services. Instead, it was a thesis around which to build products. So, the startup began looking for different ways and formats to organize knowledge and questions and answers.

“That was a breakthrough insight,” Grauer said. The startup stopped launching other business verticals and decided to stick to Q&A as its core — and only — business. It sells Netflix-like subscriptions to students looking for access to learning and teaching content. Teachers and publishers can put course-specific study content on the platform.

In 2020, Course Hero is a profitable business with annual run revenue upward of $100 million.

Today, Course Hero tells TechCrunch that it has raised a new tranche of capital in a Series B extension round of $70 million. The round is now totaling $80 million, bringing Course Hero’s total known venture capital to date to $95 million.

Its $80 million Series B round is one of the largest U.S. funding deals of 2020, and brings Course Hero’s valuation to $1.1 billion.

From a high level, the new raise is not surprising. Other edtech companies have also recently added on more capital to their balance sheets to meet remote learning demand amid the coronavirus pandemic.

But in Course Hero’s case, the new capital comes as a stark contrast to how the business functioned before 2020. After launching, the startup waited eight years to raise a $15 million Series A. Now, after going another nearly six years without raising venture capital, Course Hero has closed two rounds in this year alone.

Grauer tells TechCrunch that the capital will be used for operations, product innovation and feature development. It also plans to use the capital for future acquisitions (in 2012, Course Hero bought an in-person tutoring business).

Course Hero’s change of heart with venture capital boils down to the company meeting new scale demands. Last year, it passed 1 million subscribers on the platform. Now, it is eyeing “many millions” of students, the co-founder says.

Paraphrasing Bill Gates, Grauer said, “We do overestimate what we can do in just three years. And we dramatically underestimate what we can do closer to 10 years.”

Any edtech company that raises money off of current momentum in remote education will have to face the reality of what it is like to grow when remote learning is no longer a necessity. In other words, when the coronavirus pandemic ends, will these same platforms still find surges in usage?

“That’s the risk and reward of raising capital,” Grauer said. He added that “if you raise too much money early on, you can get misaligned expectations based on different time horizons set up by different terms of incoming shareholders or investors.”

Course Hero sees tailwinds in a dynamic that has been brewing since before the pandemic and will likely grow during and after: the growth of “nontraditional students” enrolling in and participating in higher education. Grauer noted that more than 40% of students work 30 hours or more per week. Over a quarter of students are parents, and of that quarter, over 70% are single moms.

“Because that’s the reality, and because we can make an affordable subscription and the economics can work, Course Hero is aligned to serving the majority, the real majority, and that’s the beauty of opportunity,” he said. There is a freemium model, but on an annual plan, a subscription costs $9.95 per month. On a monthly plan, a subscription costs $39.99 per month.

It’s not an opportunity the company hopes to expand into, it’s a reality of its diverse customer base. An internal data analytics survey of Course Hero shows that 58% of students that subscribe work at least part time. Over 25% of subscribers are 35 years old or older, and 22% of subscribers are parents.

Looking ahead, Course Hero hopes to continue to broaden its multisided marketplace.

In July, the business announced it is launching Educator Exchange, which allows college faculty to make money by uploading study materials for fellow teachers or students.

The “direct-to-faculty” relationship could pacify earlier tensions between the platform and teachers by giving the latter a way to monetize on how Course Hero “open sources” creative content on the point of copyright infringement.

Grauer compares Course Hero’s long-term vision to that of Google Maps, in that the platform can make recommendations of content based on other people’s usage.

But we’re not talking recommendations for the closest gas station. Based on how a user learns, Course Hero can recommend a specific professor who has a specific syllabus on a topic in which the user is interested.

“We’ve seen that specificity level differentiates us from others,” he said. “It helps students when they’re doing their real work, that one homework, that studying for one test. And I think that’s where the magic is for us.”


Many Canon cameras can now automatically back up pictures to Google Photos

Canon and Google today announced a new software integration that enables automatic Google Photos backup of pictures taken with select Canon cameras. The supported models are most of the company’s recent interchangeable lens cameras, dating back basically to when they started getting Wi-Fi on board.

The auto backup feature will work via the Canon mobile app, which is available on Android and iOS devices. If you have the most recent version, you can add your Canon camera to the app and set it to automatically transfer full, original-quality photos from your camera to Google Photos when your phone is connected to the camera. That takes out the typically manual process of somehow connecting either your camera or its memory cards physically to either your computer or your smartphone.

This feature does come with some caveats, however, including that it’s only available to Google One members. To ease the financial sting of that requirement (though it’s one of the more affordable and comprehensive cloud photo and data products out there), Canon users new to Google One will get one month of access free, with up to 100GB of cloud storage.

Speaking from experience, I know that a lot of photos I take with my ‘real’ cameras just end up staying on the camera, or on countless backup drives and SD cards I have strewn about. This auto-backup feature makes it much more likely I’ll actually discover and look at more of those photos again – and possibly even print and share them with loved ones. Here’s hoping it expands to other camera-makers in future, too.